Security and the Red Hat subscription

Why do people pay Red Hat for a subscription to use our software? Simply put, a Red Hat subscription is more than just support. It includes access to our award-winning Customer Portal, expansive knowledgebase, certification ecosystem, Red Hat Product Security, committed product lifecycles, industry-leading technical and automated support services, and the ability to collaborate with peers and Red Hat experts. The Red Hat subscription provides customers with the guidance and stability needed for mission-critical environments. In addition, it provides security.

All software - no matter the license, provenance, or supply-chain involved - is at risk of having bugs, mistakes in the code which could introduce errors in the way it performs. If an error poses a security risk where an attacker could deliberately cause a program to fail, those are classified as vulnerabilities. While only a small portion of errors are vulnerabilities, the consequences of those errors can be dire.

Red Hat's Product Security team supports more than 100 different products and versions, ranging from our flagship product Red Hat Enterprise Linux and Red Hat JBoss Middleware to our emerging products including Red Hat Enterprise Linux OpenStack Platform, OpenShift, and Red Hat Enterprise Linux Atomic Host. Our products are made up of many different open source components. Red Hat Enterprise Linux 7, for example, is comprised of several thousand different packages and each one can be a separate open source project. Red Hat’s Product Security team is responsible for knowing every component of every Red Hat product. They are responsible for helping find and track issues that could pose a threat to the integrity of the code. With code coming from a variety of open source projects and contributors, this task is no easy feat. I am proud to report that in 2014, across supported versions of Red Hat Enterprise Linux, 97% of critical vulnerabilities had a customer fix the same or next day after they were public.

In addition, we continue to actively monitor the time it takes for vulnerabilities to pass through our workflow of identifying, fixing, and delivering a solution to our customers. While we are constantly striving to identify and remediate critical vulnerabilities, our security value proposition to our customers is more than just quick response time.

For any given Red Hat product, we have a single mechanism for getting updates on security issues across our components and technologies. In addition, products are supported with long lifecycles (for example, Red Hat Enterprise Linux 5, 6 and 7 are supported for 10 years), and generally maintain security updates for open source components even beyond their upstream end of life.

2014 will be remembered for a number of high profile vulnerabilities including Heartbleed, ShellShock, and Poodle. While we provided fast updates to correct these vulnerabilities that affected Red Hat products, getting solutions to customers was only part of the service we provided. When serious issues were found in the UNIX-like shell, Bash, called ShellShock in September 2014, Red Hat customers received timely advice, industry-leading security expertise, access to technical information and support, proactive notifications, Customer Portal alerts and articles, and a Red Hat Access Labs self-detection tool.

We want customers to hear about major security issues that could affect them from us first. We want our customers to have confidence in the knowledge that we are on top of any security situation that may arise and that we are committed to providing specific, timely, calm, and technically accurate advice on how the issues affect our products and services.

While security is only one piece of the Red Hat subscription, it remains an important one.